LEARNER GUIDE
CONTENTS
1.1 – Review organisational processes, procedures and requirements for undertaking risk
management in accordance with current risk management standards
1.3 – Identify internal and external stakeholders and their issues
1.4 – Review political, economic, social, legal, technological and policy context
1.6 – Document critical success factors, goals or objectives for area included in scope
1.8 – Communicate with relevant parties about the risk management process and invite
participation
2.3 – Use tools and techniques to generate a list of risks that apply to the scope, in
consultation with relevant parties
4.1 – Determine and select most appropriate options for treating risks
1.1 Review organisational processes, procedures and requirements for undertaking risk
management in accordance with current risk management standards
1.4 Review political, economic, social, legal, technological and policy context
1.6 Document critical success factors, goals or objectives for area included in scope
1.8 Communicate with relevant parties about the risk management process and invite
participation
Risk management involves the ability for organisations to obtain a balance between realising
opportunities for gains while minimising losses. Essential to good management practices,
risk management is also an important element of corporate governance.
AS/NZS ISO 31000:2009 is the most commonly used risk management standard. It provides
organisations with principles and general guidelines to be considered when developing risk
management frameworks and programs. These are broadly as follows:
1. Creates and protects value: effective risk management ensures that an organisation
can achieve its objectives
2. Integral part of organisational processes: the risk management process needs to be
an integral part of overall organisational processes to ensure that risks are identified
and controlled.
3. Part of decision-making: where risk is a part of decision making, this ensures that
decisions are made in the context of full knowledge of risks.
4. Explicitly addresses uncertainty: identifying risks means that organisations
understand what potential risks there are and can act accordingly.
5. Systematic, structured and timely: it is important for the risk management process to
be systematic, structured and timely.
6. Based on the best available information: using up to date and accurate information is
important to ensure that risks are accurately identified.
The legislative framework that you operate in usually stems from the requirements of:
• Acts
• Regulations
• Codes of Practice
• Standards
The WHS Act and Regulations require persons who have a duty (PCBUs) to ensure health
and safety to ‘manage risks’ by eliminating health and safety risks so far as is reasonably
practicable, and if it is not reasonably practicable to do so, to minimise those risks so far as
is reasonably practicable.
WHS Act
Work Health and Safety Act 2011 (NSW) aims at ensuring that WHS is managed effectively
in the workplace by ensuring that employees are protected from WHS risks.
WHS Regulations
Work Health and Safety Regulation 2017 (NSW) provides details on the health and safety
representative election process, statutory notices and incident notifications.
The aim of the WHS Codes of Practice is to provide detailed information on how you can
achieve the standards required under the work health and safety (WHS) laws.
Standards
A standard sets out specifications and procedures designed to make sure that methods
and materials are fit for the purpose intended. Standards are published documents that
make sure that practices are consistent across Australia. They are available from
SAI Global Limited and can be purchased through its website: www.saiglobal.com.
• Hazard Identification
• Risk assessment
• Implementation of Risk Control Measures:
• The hierarchy of controls
o Elimination
o Substitution
o Isolation
o Engineering
o Administrative
o PPE
• Review the effectiveness of the risk management process in your workplace as part
of your organisation's continuous improvement process.
• Avoiding the risk: do not take the course of action that involves the risk
• Reducing the risk: take action to reduce the likelihood of the risk occurring or the
severity of the potential consequences
• Transferring the risk: transfer the responsibility for the risk to another party
• Financing the risk: cover the financial consequences of risk
• Retaining the risk: run the risk that the event may occur and bear the consequences.
Economic circumstances and scenarios – these are the risks caused by an action or
inaction that has an undesirable outcome. The losses in this scenario are usually called risks
and may be monetary or physical. For example, in response to a downturn in demand, an
organisation may retrench its staff so that it can keep operating.
Individual activities – these can include negligence, untrained personnel and those unfamiliar
with the organisation's procedures. Under WHS Law, employees have a legal responsibility
to ensure that they maintain a safe work environment. It is the responsibility of the employer
to ensure the health, safety and welfare at work of all employees and others who come
on to the workplace.
Human behaviour – this refers to the range of behaviours that are influenced by a person’s
culture, attitudes, emotions, values, ethics, authority, rapport, hypnosis, persuasion, coercion
and/or genetics. Behaviour-based safety focuses on employee behaviour and aims to
minimise the cause of work-related injuries and illnesses.
Management activities and controls – these are usually guided by an organisation’s policies
and procedures and the appropriate job description. The level of risk in a management
position will vary according to their position, the amount of training or education that they
have and their level of experience. If you are in a management position, it is essential that
you make sure that you are aware of all of the risks in your work area.
Natural events – these are the effects of natural hazards such as floods, tornados,
hurricanes, volcanic eruptions, earthquakes and landslides. These types of hazards can lead
to financial, environmental and human loss. To counteract and minimise the risk to an
organisation and its employees, organisations – depending on the kinds of risks relevant to
an area – will put together a Natural Disaster Risk Management Plan that encompasses:
Political circumstances – these are a form of risk that is faced by investors, governments and
corporations. The level of risk can be controlled, as it is understood and managed from the
start. Organisations face political risk by making decisions that are strategic, financial or
personal.
There are many different types of risk that your organisation has to deal with. These include:
• Legal
• Financial
• Safety.
Responsibility for the risk rests on the organisation/people that have control of it. This
includes the person who controls the budget, the spending and who is responsible for
ensuring that decisions have been carried out.
It is important that your organisation has in place a systematic and holistic approach to risk
management, to protect your organisation and its assets. Risk is defined under the
standards as “the chance of something happening that will impact on objectives”.
Technically, risk is the probability that a threat agent exploits a vulnerability, and the
resulting impact on the business.
For example, your employees have been trained in WHS in the workplace. The vulnerability
is that, even though they understand WHS, they do not know when to start applying it. The
trainer emphasised that their duty of care started when they began work, so they did not
report a ditch in the tarmac at the main entrance until they started work. Heavy rainfall had
cracked the tarmac where it had been laid incorrectly. Overuse of the tarmac widened the
crack into a ditch, over time.
They were busy and did not use their common sense. In the time between their entering the
workplace and starting work, a truck hit the ditch and rolled before it exploded, killing
both the driver and his son (who rode with his father that day).
One of the most important aspects of any risk management plan is your ability to make sure
that risk is broken down to a basic state and to analyse the impact on the organisation if risk
management practices and procedures are not followed.
Defining the scope of risk is not easy. All risks need to be recognised and, if required,
quantified. The scope should provide details of processes regarding risk and the
deliverables. A major part of this requires that a risk analysis is performed for your work site;
this necessitates that you identify and assess risks that may jeopardise your organisation’s
processes and ongoing success.
As with any other aspect of good organisational management, it is essential that you obtain
and maintain support of organisational members. Obtaining their feedback and ideas allows
them to create ownership for the risk management process. Studies demonstrate that when
people take ownership of a program, there is a higher level of success for that program.
We have now considered the types of risk that may affect an organisation. The scope of the
Risk Management Plan needs to consider what the plan may apply to and the variables that
may impact on the scope.
Before you consider the scope, it is important to have a clear picture of what you are
applying the scope to. For example, you may work in an organisation where the scope, in
the first instance, encompasses the whole organisation. The organisation also has several
projects running at the same time. The procedures used to identify and resolve or report the
risks during the initial development of the Risk Management Plan will usually be utilised for
individual risk analyses completed on each project.
Internal environment – there may be times when your partner’s internal processes are in
conflict with your own. When on a customer’s work site, their risk management processes
must take precedence over your organisation’s processes. Internal processes may include
policies, procedures and practices that include identification, assessment, control or
reporting of risk.
This does not mean that you should ignore your own organisation’s procedures. In most
instances, for the purposes of your organisation’s historical records, you should still follow
your organisational procedures. This is to assist future individuals undertaking a similar
project in the preparation and management of their own project.
Whole organisation – the context of a risk management plan will assist in establishing the
whole risk management plan for the organisation. This means that you need to make sure
that you include:
The risk context will assist you in defining the purpose and importance of the scope for your
organisation and how risk assessments will take place. The scope will help define:
Stakeholders are either internal or external. Internal stakeholders are people who
support the organisation and who are internal to the organisation, including employees,
investors and management. External stakeholders include people who are impacted by the
organisation including the consumer and the community. It is important to know each
perspective and their objectives so that you can address their needs in the Risk
Management Plan.
Take the time to work out what each party’s interest in risk management is and use it to
determine their objectives.
Employees:
Employees need to be protected from risk. They require information that will assist them in
ensuring that the workplace is safe. Risks and the procedures on controlling and/or
minimising the risk should be made available to them. Employees need to be kept up-to-date
on safety issues and changes to legislation that will impact on their practices. Employers
must communicate changes to employees and provide training when necessary.
Internal Investors:
It can be argued that employees are investors in the organisation, in terms of investing their
knowledge and skills to the organisation to maintain safety. For the sake of this guide, the
investors are the owners of the organisation. They provide capital, to ensure that their duty
of care is maintained by guaranteeing that employees are provided with a safe work
environment.
Management:
Management needs to ensure that they balance providing support for the employees with
being accountable for working within their budget. Risk management decisions should
Customers:
Customers purchase the goods and services that the organisation either produces or sells.
They may be other organisations or individuals. When the customer purchases your product,
it is essential to make sure that the product is safe. Customers need to be confident that they
are not at risk.
Suppliers:
In the same instance, suppliers need to make sure that the products that they sell are free of
risk.
Creditors:
Creditors need to know that they are going to be protected, by ensuring that all legislative
requirements are met within your organisation; and
Government:
That all taxes are paid, and appropriate industry laws are followed and adhered to.
Now that you know what a stakeholder’s interest in your organisation is, you should change
their interests into objectives. Be aware that these objectives will become an important part
of the context of the Risk Management Plan. It is through these objectives that you will be
able to plan your risk management plan.
When developing a risk assessment, take the time to reflect on your plan to ensure that the
event/situation and the existing elements that may have an impact on the level of risk that
the stakeholders are exposed to are clear. Make sure that each stakeholder is aware of the
elements that may impact on their decisions. The success of any planning rests on ensuring
that the information provided is clear and up-to-date. Stakeholders can then make informed
decisions that will, in turn, assist you in developing the policies and procedures for the Risk
Management Plan.
For example, weather conditions of previous years indicate that staff will be exposed to
minimal risk of rock slide on a building site. However, one of the effects of El Niño was an
increase in rainfall over the summer. Dried dirt has shifted and the chances of a mud slide
over the winter period have increased. Your contractor is concerned that the level of risk has
risen and that the equipment left on-site will also be at a higher level of risk.
Stakeholders would weigh the cost of insurance, putting in place more safety practices and
the cost of replacement. The priority of this risk would rise as the chances of rain causing a
mud slide rose. By ensuring that the stakeholders have a report on the after effects of El
Nino, stakeholders’ decisions would be more informed and the budget and time allocated to
minimising the risk would be varied according to their responses.
Time is a highly regarded commodity and you are not able to spend too much of it studying
the market so that you can present information (if so required) to make a
decision that will change the procedures of the organisation. You need to have a method
that will allow you to understand both the external environment and the interconnections
between its various sectors, and translate the understanding to planning and decision-
making processes.
This activity can be done through environmental scanning. Brown and Weiner (1985, p. ix)
define environmental scanning as “a kind of radar to scan the world systematically and
signal the new, the unexpected, the major and the minor”.
Control the flow of information – if staff are provided with too much information, information
overloading may occur. Employees may become confused trying to work out which
information is relevant and which is not. By controlling the flow of information, you are
ensuring that your team are provided with the appropriate information, so that they will be
able to provide an informed decision.
Keep managers up-to-date – information should be timely and should give managers time to
identify changes in market trends, market conditions and any other variables that will impact
on the final decision.
The way in which information is provided will vary between organisations, according to the
industry of the individual organisation; it will also vary according to the procedures and
requirements of the management team and stakeholders who will have an impact on the
decision-making process. The scanning of the external environment can be completed
internally or externally. Employees may be required to scan the market to identify changes to
trends. External organisations or bodies may be used to monitor the external environment.
The type of information gathered will vary. However, the streams of information gathered in
the external market will usually include:
The economic system is the organisation of the economy to allocate scarce resources. It is
governed by the needs of the individual departments. Resources are allocated according to
the priorities of the organisation. For example, if your organisation has been audited, with
regard to its WHS, and the report stipulated that your organisation was not fully complying
with the law, then quick action would be taken to correct the safety of your internal and
external customer. This may mean that the organisation’s budgets would need to be
reviewed and reallocated, due to the reprioritisation of the decision-making process.
This example clearly demonstrates that decisions about resource allocation impact on the
decision-making process. Decisions of an economic nature can be influenced by:
• Capitalism
• Socialism.
The capitalist economic system is concerned with profit maximisation
through investments and competition with other business owners. These systems may be
both regulated and unregulated.
The socialist economic system produces goods and services upon demand and ensures that
sufficient production is carried out for this end. This system is based on capital accumulation
seeking to control or direct the system through state ownership or cooperative control.
The social system is the use of attitudes, behaviours and ideas influenced by human
relationships. The incentive structure can be influenced by the social system. Using the
example above in the incentive structure, we can see that when employees are encouraged
to take ownership of their actions, their productivity usually increases, which will release
resources (management) to perform other tasks.
The political/legal system creates the rules and frameworks within which business operates.
Government policy supports and encourages some business activities, e.g. enterprise, while
discouraging others, e.g. the creation of pollution. A political system is one of politics and
government that is usually compared to a legal or social system. A political system is
composed of a complete set of institutions, interest groups (such as political parties, trade
unions, and lobby groups), the relationships between those institutions and the political
norms and rules that govern their function.
Formerly a colony of Britain, Australia has one of the oldest continuous democracies in the
world that is shaped on pre-federation colonial parliaments, such as “one man, one vote and
women’s suffrage”. The Australian Constitution defines the following responsibilities
including those of the:
The Australian Constitution sets out the powers of government in three chapters:
The legal system in Australia has three sources that you may need to refer to. The sources
are:
The legal system can be complicated and the task of finding the relevant law may
be difficult, even for a lawyer. The basic legal system in Australia consists of:
• The fundamental belief in the rule of the law, where all people are treated equally
under the law
• That the common law system is formed on the basis of the United Kingdom’s
jurisprudence
• That the common law system encompasses the law of precedent, where judges’
decisions are based on previously settled cases
• Nine legal systems – the eight state and territory systems and one federal system
which incorporates three separate branches of government – legislative, executive
and judicial.
Technological systems refer to material objects, such as machines and hardware that are
used by employees, to ensure that they are productive within their industry. The aim of the
technological system is to ensure that the human environment – such as the materials, tools,
techniques and sources of power – is utilised to make life easier and more productive.
The aim of the study of technological systems is to understand the links between
technological systems and economic growth. This linkage can be observed after your
organisation purchases new technology. If the organisation aims to improve productivity,
then a purchase of equipment to allow the organisation to meet the demand means they will
be able to take a larger share of the market and ultimately improve their profits.
Another way the organisation can improve their productivity and profits is through the
improvement of processes or the quality of their output. For instance, employees may
identify a way to improve productivity, by changing or eliminating steps in the development
process without affecting output. Eliminating steps in the production process will also
improve productivity and more units will be produced to meet customer demand.
The policy context is the course of action the business takes in the decision-making process
that influences the way they make decisions and the actions that they take. Let’s refer to the
examples discussed in the technological system. One of the goals of the organisation is to
improve productivity. Imagine that the organisation becomes aware of a new computer
program that would revolutionise their industry by increasing productivity, so that they would
be a market leader.
However, due to the infancy of the technology, the price of the equipment would blow the
organisation's budget. In the same instance, a member of the organisation’s production team
identified a way in which to improve productivity, so that they are on par with the new
technology.
Preliminary investigations have identified that the improvement in processes would save the
organisation a lot of money, in that they would increase productivity. The policy context
comes into play here when the processes of the organisation will have an impact on the final
decision made.
What may be obvious to you may not be so to others. Your organisation's procedures may
be geared to the procurement of new equipment. The stakeholders of the organisation may
not believe that the processes that the employees want to put in place will meet their goals. If
you are a manager, your goal would be to change the mind of the stakeholder.
As you are considering the development of the risk management plan, it is important that
you take the time to review the weaknesses and strengths of any existing risk management
arrangements. To use a systematic approach, you should perform a SWOT analysis.
SWOT is an acronym for strengths, weaknesses, opportunities and threats which make up
the four factors of the SWOT matrix. The aim of this tool is to produce a model that can
serve to provide direction in the development, formulation and assessment of risk
management plans. Although it is an important step in the planning process, many
organisations tend to undervalue it or omit it from the Risk Management Plan.
The SWOT analysis is straightforward and easy-to-use. The four factors are divided into
external and internal issues. The organisation's risk management objectives can be obtained
by analysing the information gathered in the tool. The SWOT analysis can assist in
identifying any potential obstacles to the success of the risk management plan, as well as
the flaws in the plan.
Risk management requires organisations to avoid, eliminate or, at the very least, minimise
identified threats and weaknesses. The organisation should scrutinise the weaknesses, to
ascertain whether or not it is possible to change them into assets. Identified threats should
be examined to see if there are opportunities to strengthen areas that have been eliminated.
The opportunities and strengths should be analysed to identify whether the threats and
weaknesses have met the organisation’s objectives.
Risk management is also central to strategic management and some organisations utilise
the SWOT analysis tool by determining the benefits of each activity that they perform, in
terms of risk management. This is done by focusing risk management processes and
determining the potential value that the ultimate strategies will bring to the
organisation. It makes the organisation consider the potential success or failure of each
strategy that can be implemented and the impact that the strategy will have on the
organisation.
Risk management must be a continuous process that considers the past, present and future
activities of the organisation. The risks facing an organisation can result from both external
and internal factors that can impact on the organisation.
Some organisations consider these as internal and external drivers which, at times, can
overlap across both areas. These can be further categorised into types of risk such as
strategic, financial, operational, hazard, etc.
1.6 – Document critical success factors, goals or objectives for area included
in scope
A critical success factor (CSF) is an element that is necessary for an
organisation or project to achieve its mission. CSFs are those few things that must go well,
to ensure success for an organisation and, therefore, they represent those enterprise areas
that must be given special and continual attention to bring about high performance. CSFs
aim to assist organisations in narrowing their results, and if their results are satisfactory,
they will ensure successful competitive performance for the organisation
(Rockart, 1979, p.84).
Your organisation's critical success factors need to match the areas that will assist the
organisation to succeed. CSFs need to maintain a high level of performance, so that the
organisation’s current and future needs are met. Grabowski and Roberts (1999) suggest that
the following four factors are designed to ensure the high level of performance that your
organisation needs. These factors include:
Galorath (2006) writes that the importance and essence of risk management requires five
activities that are:
4. Cultural imperative
Critical success factors should correlate with the pattern of values, ideas and thoughts
transmitted by the symbols that shape the organisation’s behaviour. For example,
management support demonstrates a support for an initiative. In this instance, risk
management is an important part of the organisation’s culture. If management demonstrates
the appropriate support for the organisation’s risk management culture, then the level of
team members who follow organisational procedures should increase.
The more information that is shared with the team, the greater the chance is that desired
behaviour will become organisation-wide. As more and more of the team start demonstrating
and participating in the risk management process, the clearer the organisation’s culture
becomes.
The importance of culture within effective risk management is that knowledge transference
requires individuals to come together to interact, exchange ideas and share knowledge with
one another. Moreover, culture creates individuals who are constantly encouraged to
generate new ideas, knowledge and solutions (Muller, 2009).
The relationships developed within an organisation involve the building of the organisation’s
structure. Think about your own organisation. What common vocabulary do the teams
share? How do they differ from other organisations within your industry?
Trust is also another critical success factor. Trust is the “willingness of a party to be
vulnerable to the actions of another party, based on the expectation that the other will
perform a particular action important to the trustor, irrespective of the ability to monitor or
control that other party” (Mayer, Davis and Schoorman, 1995, p.711).
For trust as a critical success factor to succeed, it is essential that risk management
processes include cooperation and teamwork. Trust is an important prerequisite to “changing
those related alliances, thus mitigating risk, as organisations are unwilling to adopt alliance-
like organisational structures that make them vulnerable to the fluctuation of the
environment” (McAllister, 1995).
To measure the success and/or failure of the organisation’s critical success factors, the
organisation must, according to the WHS Act 2011, maintain records of actions and
dangerous occurrences. By monitoring and reviewing the risk management process, the
organisation will be able to provide evidence that they are continuously maintaining and
reviewing the effectiveness of risk control.
These records can also assist management in identifying whether the organisation is
meeting its needs, with regards to the critical success factors.
For example, based on the three critical success factors discussed, measurement of
success can be demonstrated:
• When employees demonstrate that they are following the organisation’s culture by
adhering to the safety procedures in place
• That employees are building relationships by discussing and communicating
decisions and change with each other to identify the best practice
• That trust is being developed and reinforced as staff members become empowered
and take initiative with regards to risk management issues.
This trust is built on management’s ability to support their team and communicate changes,
so that their team members become empowered. In turn, they will be able to make informed
decisions.
Management support and commitment is one of the final critical success factors, with
regards to risk management. Management actions are important. They can be constructive
and build staff confidence; they can also be destructive, which can lead to the failure of
organisational initiatives. Destructive management is where management provides no
feedback and, if they provide feedback, it destroys staff morale.
To give constructive feedback to team members it is important to make sure that your
feedback is:
Supported with positive words – Be positive and make sure that your choice of words
demonstrates a positive work environment. The receiver needs to know that they are making
a positive contribution to the risk management process.
Descriptive and gives facts – Stick to facts. Be clear and specific to ensure that the receiver
knows and understands the issue and what their goals are. Make sure that the receiver
knows, for example, how their failure to act will impact on the organisation, staff members
and management. For instance, if you identify a hazard and do not report it, a customer or a
member of your team may be injured – this will have a negative impact for management of
the organisation, in terms of loss of business, reputation, productivity or profits.
Aimed at supporting collaboration so that new ideas for improvement are devised –
Acknowledge all recipients’ efforts, even if they are not appropriate at the time. Failure to
acknowledge their input can lead to recipients failing to contribute in the future.
Creating an environment where people are empowered, productive and contribute happily to
risk management is an essential part of the success of a risk management plan.
Empowerment aims to enable an individual to take action and control their work and make
decisions in an autonomous way. It allows employees to feel that they are controlling their
own destiny.
• Demonstrate that you value them – Use positive body language and demonstrate
your appreciation for their contributions.
• Share vision – Help your team members to see the bigger picture by giving them
access to your organisation’s policies, procedures, mission, values and vision
statement
• Share goals and direction – Make sure that the team knows the direction of the group
and their connection to the rest of the organisation, so they obtain a sense of
belonging.
• Trust people – Trust your team members to make the correct decision to meet these
goals. In turn, when they are given clear expectations, they will learn to trust you and
relax.
• Provide information for decision making – Keep staff abreast with what is happening.
Informed decisions can only be made when team members are provided with up-to-
date information
• Delegate authority – Use opportunities to delegate authority to team members, so
that they can become empowered and build confidence to operate
autonomously.
• Provide continuous feedback – Give rewards and recognition by acknowledging the
team members’ efforts. Work with the team to develop employee skills and
knowledge.
• Focus on the problem, not the people – What is the cause of the problem? Do not
automatically assume that a person’s actions are at fault. Is there a way in which
processes can be improved?
• Listen and ask questions – Show respect and treat people how you prefer to be
treated. Ask questions and encourage team members to ask questions, to either
reinforce their knowledge or to clarify information
• Reward and recognise empowered behaviour – Recognition and rewards that
acknowledge team members’ contributions will counteract any feeling of inadequacy
that team members may feel.
For everyone to be involved in the Critical Success Factors, it is imperative that they receive
ongoing support and training. This is part of an employer’s duty of care for each State and/or
Territory. Effective risk management plans have communication procedures in place that
give clear expectations for staff. Communication ensures that team members understand
and support not only where the team is now but also where they want to be (Clutterback and
Hirst, 2002).
Communication needs to also be addressed, with regards to any party that has an impact on
the Risk Management Plan. Relevant parties may include:
• All staff
• Internal and external stakeholders
• Senior management
• Specific teams or business units
• Technical experts.
Professionals, both inside and outside the organisation, also need to be informed about what
is happening. Communication does not only need to be verbal. It is essential for
professionals to be supplied with the information required to perform the correct tasks under
the WHS Act as part of their duty of care. Communication could include the update of
procedures or required participation in training.
It is also imperative to ensure that relevant parties are given a chance to clarify information,
so that they can improve the organisation’s channels of communication.
Team members need to use the communication process to understand their roles and
responsibilities in the risk management process. A clear understanding of the
communication process is required so that team members can be given an opportunity to
see how their contributions impact on the organisation.
2.3 Use tools and techniques to generate a list of risks that apply to the scope, in
consultation with relevant parties
Another form of good communication is the utilisation of consultation. This is a way in which
management not only provides staff with up-to-date information, but also provides
stakeholders and any relevant parties with the opportunity to assist in the identification of
risk.
Consultation with employees ensures that the organisation is proactive with regards to risk
management. Employers need to consult with employees during each step of the
consultation process. All types of hazards need to be identified and methods to eliminate or
control the workplace environment hazards and risks need to be created.
The WHS Acts and Regulations of each state and/or territory will contain legislation with
regards to consultation within your relevant State/s and/or Territory/ies. Even though they
will vary in each State and/or Territory, the following overview should be part of the
consultation process including:
Note that each form of contact includes employers and employees consulting with each
other. During the consultation process, team members may use a variety of tools and
methods to explore the options that could be available to them.
Stakeholders can only assist you when they have the information they need, so that they can
make informed decisions or recommendations. At times, this may not be a viable option.
This means that you may need to research the risk to determine whether a risk or hazard
can be eliminated or controlled.
Research is the search for knowledge through a systematic investigation, with an open mind,
to investigate ways to eliminate or control risk within the organisation’s procedures and
legislative requirements. The purpose of research is to discover, interpret and develop
methods and systems with regards to risk in a systematic manner.
For example, following the repeated flooding of the shop floor in the back room, the WHS
representative gave the WHS Committee three recommendations with regards to either
eliminating or controlling the flooding. These recommendations may include:
o Purchasing a sign and allocating a staff member to maintain the area to minimise the
chance that anyone will slip;
o Hiring a pump to siphon the water into the drain behind the factory.
o Consequence analysis
o Influence diagrams
o Probability analysis.
You research the policies and procedures. The price of the equipment exceeds the budget
allocated for the department. The cost of a pump is negligible and suitable for the short term.
In today’s high-pressured globalised economy, money is usually scarce and reallocating a
member of your team to maintain the area, to minimise risk, will make your resources
scarcer.
In your search, you find that your organisation prioritises all WHS issues as the highest
priority. Failure to meet your industry’s minimum standards and a record of a member of
your team being injured could have a negative impact on the organisation. As such, it is
important to make sure that your decision ensures that the WHS issue is resolved as soon
as possible.
As reassigning a staff member and pumping the water from the area is a short-term
resolution, you may need to either purchase a new unit or obtain a second opinion to
determine if there are other viable options. When you are trying to make a decision on which
avenue you will take, it is important to make sure that you are going to meet your objectives,
but also that your decision is not going to eat away at your profit. This means that you may
need to research through other avenues, such as those listed below.
Information from other business areas – Business areas are part of your organisation's
operations. This may include product lines, branch offices or subsidiaries. For instance, if
you work at a branch of an organisation and a member of the team identifies a risk or
hazard, by consulting with another branch, you may find that they have already resolved the
problem and so you can act accordingly.
Lessons learned from other projects or activities – Records and documentation are
maintained and kept up-to-date for several reasons. One reason may be to meet your legal
obligations. Another reason may be so that you have access to the historical records of the
organisation. Historical records are documents stored away so that you can use them to
resolve hazards and risk in the workplace.
You may even need to review them so that you can identify what methods have been used
to resolve a hazard or risk in the past. There are times when procedures become obsolete.
Historical records of projects and activities can also be used to review the procedures that
may have been rejected in the past, but may prove current due to the changing structure of
the organisation.
Instead, approach employees to find out if they have been exposed to a risk and/or hazard.
When a team member is familiar with a problem and how it was resolved, you may either
use their knowledge to resolve your organisation’s internal issues, or as a starting point to
resolve the organisation’s internal issues.
Public consultation – Public consultation is a regulatory process by which the public’s input
on matters affecting them is sought. Its main goal is to improve the efficiency,
transparency and public involvement in large scale projects or laws and policies. Keep
Australia Beautiful (WA) is one such public consultation. Refer to the URL Address:
www.kabc.wa.gov.au – this will give you information on how public consultation operates in
Australia.
Review of literature and other information sources – A literature review is a review of the
writing/ literature that is relevant to your industry, which can be used to support, evaluate or
critique a decision that you are trying to make. A literature review is not just a summary of
Journals, such as industry journals, that may identify and explain how to resolve industry
risks and best practice to resolve hazards and risks inherent in your industry; and
Texts providing industry advice and assistance with ensuring that WHS standards are
maintained
Once you have completed your research you should also work in consultation with the
stakeholders of the work area. This can include:
• Employees
• Owners
• Suppliers
• Investors
• Contractors
• Industry sources.
Any other relevant party should also be consulted, so that a list of risks can be identified.
These risks should be relevant to the scope of the risk management process. When
gathering information, you may find yourself handling a lot of data. To be systematic in your
approach, you should take advantage of the tools and techniques that are available to you.
Brainstorms. These are an excellent tool that can be used to generate creative problem
solving. It is good to use brainstorming to bring together a wide range of personnel so they
can bring their diverse experience and meaning to the task of solving the problems that you
face. Brainstorming also assists in ensuring that you look at a problem from a different
perspective.
Brainstorming aims to get personnel out of their comfort zone and come up with innovative
and different ideas to resolve problems. Make sure that staff are very clear that no criticism
is allowed during the brainstorming session. Take the time to make sure that all incorrect
ideas are clarified and employees know the limits of the problem.
Group brainstorming is a good tool; however, many studies demonstrate that individuals who
brainstorm on their own have the greater chance of generating more ideas. This is ideal, as
individuals forget their own ideas in light of the ideas others are generating.
• Make sure that you provide the relevant parties with a comfortable environment
• Assign one member of the team to write down ideas in your organisation’s
preferred format
• Clearly define the problem that you would like to resolve
• Use icebreakers, if people are not comfortable working together
• Give people time to generate ideas so that they can generate as many ideas as
possible
• Do not criticise and try to make sure that everyone contributes new ideas
• Encourage people to have fun during the brainstorming session
• Make sure that there are sufficient ideas to work with
• Take regular breaks, if your brainstorming session is going to be a long one.
Checklists. These are informational job aids, aimed at compensating for a human’s lack of
memory or attention. They can help you in performing the steps of a task in order and can be
used as a schedule. Checklists should be utilised to develop formal procedures that can
assist you in looking at the internal risk of activities.
Care should be taken when developing a risk checklist, to ensure that you focus on a checklist that
helps you perform your task. Checklists can be exhaustive. For this reason, you should control
how long they are.
Cause and effect diagrams can also be drawn to look like a tree. As with the fishbone, the
trunk of the tree or fish should lead to a final outcome. The large branches should represent
major categories and then the smaller links lead to smaller ideas that fall under that
category.
Flow charts
Flow charts are representative of a process and are used to demonstrate the steps involved
in the process.
Note that each step in the process is divided by arrows that connect the symbols. Flow
charts aim to demonstrate the steps in a process and the visual of the flow chart will allow
you to view problems in the process, so that you can take appropriate corrective action.
Scenario analysis
Scenario analysis involves the assessment of various potential future events and the
development of scenarios that will be likely to come to pass if specific events took place. Scenario
analysis can be helpful in risk management by reflecting on your analysis of the internal and
external environment and determining the events that may impact on your organisation’s risk
management plan.
Based on the information that you acquire, you will be able to predict possible scenarios that
will impact on your Risk Management Plan. There are five steps to the scenario analysis
process. They are:
1. Gather information about potential risks: this could be done through a range of both
internal and external sources.
2. Assess the likelihood of the risk occurring using the risk assessment legend.
3. Assess the severity of the potential consequences for the agency of the risk
occurring using the risk assessment legend.
4. Assign a ranking to the risk using the risk assessment legend. The ranking of the risk
will determine its importance in terms of risk management.
Once a list of risks has been identified, you will need to learn how to analyse the level of risk
so that you can identify how to minimise, control or eliminate the risk. It is the role of your
employer to ensure that a risk assessment is conducted. Risk assessments should also be
conducted when¹:
When you consider the level of risk, you should consider the injury or disease causing the
hazard. As the level of risk rises, so too does the level of the hazards – this means that there
will be more chance that the risk will cause an injury. Part of your Risk Management Plan
needs to address risk assessments. The risk assessment needs to determine the likelihood
and level of injury (severity) or disease that can result from exposure to the hazard. When a
hazard is identified, your employer should make sure that they follow the regulations that
deal with that hazard. There are usually specific regulations that deal with the risk
management of occupational electricity, driver fatigue, falls from heights, confined spaces,
¹ All notes are taken from the Occupational Health and Safety Code of Practice 2008
➢ Environmental conditions
➢ The work organisation – like rostering, shift arrangements and the pace in
which work should be performed
When talking about the likelihood, we are describing the probability or frequency of an injury
or illness occurring.
Risk Matrix (columns show LIKELIHOOD: E = Highly Unlikely, D = Unlikely, C = Possible, B = Likely, A = Very Likely)

                       E    D    C    B    A
5 Fatality             H    E    E    E    E
4 Major Injury         H    H    E    E    E
3 Moderate Injury      M    M    H    H    E
2 Minor Injury         L    L    M    H    H
1 Negligible injury    L    L    L    M    H

LEGEND
M – Moderate risk – Management responsibility must be specified
L – Low risk – Manage by routine procedures
➢ Minor injury (reversible health damage that may need medical attention but
limited ongoing treatment). This means that the injured person is less likely to spend more
than a day off work.
➢ Negligible injuries (might sustain slight injury and may require only primary
first aid) and no time off work.
Moderate Injury Consequence and possible likelihood form part of standard Risk
Management, but you can decide if they meet your requirements.
➢ Disastrous
➢ Severe
➢ Moderate impact
➢ Minimal impact.
If there is an uncertainty about the level of risk, or a lack of information about the level of
exposure to the risk after a risk assessment, your employer will need to consider:
➢ Whether there is more information available
➢ Whether the organisation's culture and the behaviour of its staff add to the
risk, or are the actual risk factor; and
Once you have collected your data, you need to make sure that you familiarise yourself with
the risk management system in place, so risks can be managed and controlled. These
systems should be identified and form part of the risk analysis.
The risk analysis is the study of the likelihood and consequences where you should
ask:
➢ What is the likelihood of an incident occurring?
The level of risk created by an incident is determined by analysing the combined impact of
likelihood and consequence. To properly identify levels of risk, the best information can be
found in the types of areas that you researched in Section 2 of this Learner Guide and may
have included:
➢ Available records
➢ Relevant experience
➢ Research
➢ Experiments.
Much of this information can be obtained through the consultative process that you have
developed with stakeholders, using the techniques discussed above.
There are three types of risk analysis. They are qualitative, semi-quantitative and
quantitative. The type of analysis that you do will depend on the data available. In practice,
most organisations will generally use qualitative analysis to obtain an indication of risk levels.
It is only when more specific and precise indicators are required that quantitative analysis is
applied.
Qualitative analysis uses scales to analyse the likelihood of an event occurring and its
consequences. These can be used to analyse different risks in different circumstances by
simply varying, adapting and adjusting them to suit.
➢ Where the level of risk does not justify the time and effort spent on a more
detailed analysis.
Expression             Attributes
A fatality             Death
Negligible injuries    Might sustain slight injury and may require only primary first aid, and no time off work
Risk Matrix (columns show LIKELIHOOD: E = Highly Unlikely, D = Unlikely, C = Possible, B = Likely, A = Very Likely)

                       E    D    C    B    A
5 Fatality             H    E    E    E    E
4 Major Injury         H    H    E    E    E
3 Moderate Injury      M    M    H    H    E
2 Minor Injury         L    L    M    H    H
1 Negligible injury    L    L    L    M    H

LEGEND
M – Moderate risk – Management responsibility must be specified
L – Low risk – Manage by routine procedures
When considering the opportunities, the likelihood measure need not change, as it will
describe the chance that a benefit will arise. The consequence measure must, however, be
adjusted.
An example is as follows:
-H   -H   -H   -M    M    H    H    H
-H   -H   -M   -M    M    M    H    H
-H   -M   -M   -L    L    M    M    H
-M   -M   -L   -L    L    L    M    M
(Axis labels recovered from the original figure: consequence columns labelled Fatality, Negligible, Minor and Major; row axis labelled Likelihood.)
H = high opportunity, detailed planning required at senior levels to prepare for and capture
opportunity.
Another way to measure risk includes the hierarchy of control. The hierarchy of control will
be discussed in more detail in Section 4 of this learner guide.
There will be times when you will not have the skills, knowledge and experience to
complete a risk assessment of a work area. When this occurs, then you may need to
consult with an expert. Expert advice may include:
➢ Federal, state and local government regulatory authorities
4.1 Determine and select most appropriate options for treating risks
There are times when the most effective control measure cannot be implemented
immediately. A lack of funds, resources or physical means will require employers to identify
and prioritise the implementation of a control measure – this will be determined according to
the organisation’s risk profile for the hazard. Controls for high-level risks should be implemented before
those for medium and low-level risks. Remember, a risk profile is how the organisation rates the
hazards, such as whether a risk is a low, medium or high-level risk.
Your employer has a duty of care to ensure that employees have a safe work environment to
work in.
This means that part of their Risk Management Plan is to eliminate the risk and, if they
are unable to eliminate the risk, they need to minimise it by:
➢ Controlling employees’ exposure to the risk
To do this, employers should use the Hierarchy of Control pyramid. The Hierarchy of Control
pyramid aims to assist employers with the appropriate way in which to control risk. It
includes:
The following section is adapted from the WHS Code of Practice 2011. Employers need to
start at the top of the hierarchy and work their way down. The hierarchy of control pyramid is
structured in the following way.
➢ Lack of awareness
➢ Stress
➢ Fatigue
Elimination includes:
➢ Removing trip hazards
The best time in which to use elimination is at the design stage of a process, equipment or
plant. This is referred to as a safe design; these practices are applied all at once and have a
positive impact on health and safety in the workplace. When no hazards exist, no risk, injury
or illness exists. When elimination is not appropriate, then your employer should minimise
the risk by substituting or modifying the hazard.
The aim of isolation is to separate the employees from the hazard. This can be performed by
putting up signs and barricades or placing the hazard in a separate room; thereby removing
the hazard from the main work area.
Engineering controls are the next control option to minimise risk within the hierarchy of
controls. Engineering controls include engineering modifications to plant or to a system of
work that needs to be changed.
The final control measure under the hierarchy of control pyramid is the use of personal
protective equipment (PPE). PPE should only be used when the higher control measures are
not appropriate or adequate. It can be used as a final barrier between the hazard and the
employee. The use of PPE may require your employer to make sure that you change your
behaviour, as it does not control the hazard. The PPE must be appropriate for the type of
work the employer/employee is doing.
Employers should train employees and contractors in the correct use and maintenance of
PPE. Supervision would also be needed, to make sure that staff are compliant in the use of
the Personal Protective Equipment.
• Postures, movements, forces and vibration relating to the hazardous manual task;
• the duration and frequency of the hazardous manual task;
• workplace environmental conditions that may affect the hazardous manual task or
the worker performing it;
• the design of the work area; the layout of the workplace;
• the systems of work used; and
• the nature, size, weight or number of persons, animals or things involved in carrying
out the hazardous manual task.
• Implementation of policies and procedures to ensure that staff understand and follow
appropriate procedures.
• Implementation of quality and compliance processes, for example, regular auditing to
ensure that risk management standards are met.
• Providing staff induction, ongoing training and performance management in relation
to risk management
• Ongoing monitoring of risk through a range of measures such as historical data, team
meetings or performance reviews.
• Development and implementation of continuous improvement processes to ensure
that risk management processes are reviewed and monitored.
• Implementing quality assurance procedures and systems to ensure that risk
management processes are regularly checked, reviewed and monitored on an
ongoing basis.
The aim of a risk management action plan is to ensure that risk management is embedded in
the culture of the organisation and to ensure that the organisation maintains risk
management best practice. It outlines how an organisation is going to identify, minimise
and/or control the risk, including monitoring and reviewing the risk management process.
This should include what the risk management plan is for. You may even write
a Risk Management Statement
What are the organisation’s goals? I.e. to ensure that the highest levels of risk
are identified and properly managed, and that risk is focused where it is needed.
How does your Risk Management Plan benefit your organisation? E.g. meet
your legal obligations
What is the organisation’s background and the areas where risk management
has been applied? E.g. may include policy and procedures, the use of
specification, equipment checks, tests and quality assurance.
3.4. Timeframe:
The timeframe should consider who obtains copies of the Action and Risk
Management Plan, and when. Other factors that may be included are: training,
timeframes for review and when documentation should be completed and
submitted to the Board/Manager, depending on the size of the organisation.
Most organisations review their plans annually and align them with their planning
process. Continuous improvement is a legislative WHS requirement, so
organisations must demonstrate that they are working to improve their
operations.
This section should include the risk exposures present within the organisation, as
demonstrated by the above graph. The meaning of the graph includes:
o Residual risk – the remaining level of risks after risk measures have been
undertaken.
o Under action – A plan is in place for the action to be done, including who is doing
the plan, the resources needed, the costs and timing targets.
o Controlled – Refers to the level of risks that have been controlled and maintained at
an acceptable level.
o Based on the findings, the scope would probably need to be reviewed, so the
progress is maintained within the Risk Management Plan
Once you have completed your risk management action plan, you need to communicate the
plan to the appropriate parties. The information communicated should align with the needs of
the recipient.
For example, a line worker would only need the information to perform their duties and tasks
correctly. Line supervisors would need sufficient information to make sure that their team
has the knowledge to perform their tasks correctly. This would also include making sure that
their team had access to documentation and procedures, so that the empowered team
member would be able to make informed and up-to-date decisions, with regards to their jobs
and their work area.
The information that will be communicated will vary between organisations and may include
the following internal reporting and communication:
Risk Management Committee
➢ Coordinating the regular formal updating of Business Unit and corporate Risk Registers and Risk Treatment Action Plans and compiling a master set;
➢ Maintaining corporate risk and risk control information;
➢ Ensuring that all relevant risk areas are considered, including those emanating from the services of external providers and contractors;
➢ Analysis and reporting to the organisation’s executive;
➢ Ensuring appropriate linkages to the organisation’s business and corporate planning processes and, where necessary, to budget processes.
Information must be made available to all stakeholders, so that all members of the team are
protected from risk. The more current the information is, the better position stakeholders will
be in to provide informed decisions.
When providing information to team members, it is important to make sure that they do not
access information that exceeds their level of authority. Breach of privacy of personnel and
stakeholders can bring with it hefty fines and, in some cases, fines. If you are in a position
where you are not aware of the level of authority that a stakeholder has, consult your
organisation's policies and procedures or consult with management. If necessary, consult
with your client to obtain permission for external parties to help in managing risk.
➢ Ensure that they have sufficient information to consider alternatives and the
feasibility of suggestions.
When you communicate information, make sure that it is in a format that is easy to access
and understand. For example, if you are required to provide personnel with a lot of facts and
figures, then the information will be easier to read if it is in a graph to demonstrate a change
The way in which information is communicated will vary according to the policies and
procedures of the organisation. Emails are an excellent way to keep a record of staff that
have received their emails and allow the organisation to maintain a trail to demonstrate their
continuous improvement process.
As a part of the consultative process, it is important that you discuss the hazard with relevant
stakeholders, with regards to the evaluation of the Risk Management Plan. This means that
you should communicate with:
Your organisation has a legal obligation to maintain records of all hazards that have been
identified by staff within a work area. Most State/Territory legislation requires that a
workplace keeps certain records for a specified period of time. It is important to make sure
that you know how long these records should be kept in your State/Territory.
Other records, such as health and safety in the workplace, should be kept as part of the risk
management process. It is important to make sure that your team and any other personnel
within your organisation are aware of the organisation's record-keeping requirements, where
the records can be found and how to access them. Record keeping is a good work
practice and should increase the efficiency of the workplace.
Documents are recorded to ensure that the State/Territory WHS Act is complied with.
Risk is recorded to:
➢ Ensure that the risk management process follows the correct legislative
requirements
➢ Provide management and decision makers with a plan that ensures that risk
exposures are addressed in a logical manner
➢ Risk register
These documents leave a trail. This trail provides evidence that the organisation is
complying with their legal obligations. The aim of this evidence is to ensure that your
employer can:
➢ Demonstrate that the risk assessment process is conducted properly
➢ Provide management and other decision makers with a plan that addresses
the key exposures for the organisation in a logical and prioritised way
➢ Provide an audit trail for the follow-up of key actions related to the exposures
being addressed
Files need to be secured, to ensure that unauthorised personnel cannot access them. To
ensure that the organisation’s confidentiality and the privacy of the team members and
external specialists are maintained, files are usually kept under lock and key, in a secured
location. This may be a storage facility separate from the organisation or a secured room
designated for the files.
Once an action plan has been developed, it needs to be implemented as soon as possible. It
is important to make sure that the action plan is reported to workgroups and stakeholders.
The information that you need to communicate in every step of the process includes:
➢ Decisions made, with regards to resolving a hazard
➢ How the change will benefit all parties. Research has shown
that if stakeholders understand how a specific change impacts on them, they
will be more inclined to take ownership of the change
For your action plan to succeed, you need to make sure that you gain the support and
cooperation of key personnel at all levels. This means that you need to make sure that you
communicate your action plan to key personnel and that you create awareness of the plan.
o Offering bonuses and rewards for goals that have been met
This means that you should perform regular updates to make sure that the
corrective action is appropriate, and conduct periodic reviews of risk
management to ensure that action plan goals are being met and that the
corrective action is still appropriate.
Risk management is an ongoing process. Risks will change as the environment changes.
For example, you introduce a new piece of equipment to a work site. New risks will arise
when the equipment makes a job easier or changes the way in which other tasks are
performed. Risks will arise from the introduction of the equipment.
Good risk management places emphasis on monitoring and reviewing all current
organisational plans, strategies, systems and controls. Monitoring ensures that, as risks
change, new control measures are introduced.
Ongoing review of the risk management process is required, to ensure that the plan remains
relevant to the workplace. Factors that may impact upon risk assessments and control
measures can also change over time. This means that the risk management process should
be repeated regularly, to ensure that the risk management process remains effective.
There are many methods that can be used to monitor and review procedures and
these should be considered part of your management plan. You can complete:
➢ Self-assessments
➢ Physical inspections
➢ Key dates, time frames and deadlines should be set for communicating,
monitoring, reporting and review.
➢ Would you make a decision to contract or expand the risk program based on
this information?
Brown, A., & Weiner, E. (1985). Supermanaging: How to harness change for personal and
organisational success. New York: Mentor
Mayer, R.C., Davis, J.H., & Schoorman, F.D. (1995). “An integrative model of organisational
Trust”, Academy of Management Review. Vol. 20 (3), pp. 709 – 734
Muller, R. (2009), Critical Success Factors for effective risk management procedures in
financial industries: A study from the perspectives of the financial institutions in Thailand.
Umea University. Master Thesis
Rochart, J.F. (1979). “Chief executives define their own data needs”, Harvard Business
Review, Vol 57 (2), pp.81-93.
SafeWork NSW
URL Address: www.safework.nsw.gov.au
Access Date: 30.10.2019